#!/usr/bin/perl
#Author: Ian McCown
#Apache Log Project part 7

$log = $ARGV[0];
our %spam = ();
our %codered = ();
our %nimda = ();
our $ip = "";
our $newline = "false";


open FILE, "<", $log or die "log not found";
while (<FILE>) {
	if (/============================/) {
		$newline = "true";
	}
	elsif (/Request: /) {
		$_ =~ /Request: [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/;
		$& =~ /Request: /;
		$ip = $';
	}
	elsif ($_ =~ /email/ && $newline) {
		$spam{$ip} ++;
		$newline = "false";
	}
	elsif ($_ =~ /default\.ipa/ && $newline) {
		$codered{$ip} ++;
		$newline = "false";
	}
	elsif ($_ =~ /[root\.exe]|[httpodbc\.dll]/ && $newline) {
		$nimda{$ip} ++;
		$newline = "false";
	}
	elsif ($_ =~ /Nessus/) {
		print "$_\n";
	}
	
}
close FILE;
print "Suspected Email Spammers:\n";
my $spam_ref = \%spam;
printer($spam_ref);
print "Suspected CodeRed Alerts (references to default.ipa):\n";
my $red_ref = \%codered;
printer($red_ref);
print "Suspected NIMDA Entries (references to root or cmd.exe):\n";
my $nimda_ref = \%nimda;
printer($nimda_ref);

sub printer {
	my $count = 0;
	my $in = $_[0];
	%hash = %{$in};
	foreach $value ( sort { $hash{$b} <=> $hash{$a} } keys %hash) {
		$count += 1;
		print "$count\t$value = $hash{$value}\n";
		if ( $count == 10 ) {
			last;
		}
	}
}
